|
It's great that this exists. Many typical users are still befuddled by multifactor authentication, and the one thing that helps is practice. Unfortunately, by having all these islands of identity, the frequency of interaction for many of them ends up being low, resulting in users forgetting they enabled MFA and the associated recovery costs. There have been technologies to try to bridge the identity islands -- social login (which previously created trust issues through OAuth abuse - many resolved, but trust is hard to win back), Mozilla persona and others. But, at the end, the hostility of end user identity is still a problem that needs to be solved in such a way that end users have good authentication choices (no more bad security questions, for example) with good security attributes (low replay, discoverability and guessability, for example) with good usability. Ideally, an end user should be able to choose an identity provider, trust them, and then use that identity provider across multiple services. I know that some companies are working on this, but it still tends to be in islands, rather than an industry group, for example, dedicated to making it work. At this point, a de facto standard may be the best thing. I've been in meetings with IAM architects at large banks who scoff at social login because they don't want to trust social login security, yet their own end user security is marginal. Some honest conversations need to happen in this space to help move things forward. Better identity infrastructure for end users will help service providers. |